CNA 432/532 OSI Layers Security
Location: ECC 116
Semester: Fall 2012
Days: Thursday
Times: 5:00-7:50 pm
Professor: Dr. Amos Olagunju
Office: ECC256
Office Hrs: 3-4 MW; other hours by appointment
E-mail: [email protected]
Phone: (320) 308-5696

Course Description
Security models and protocols for each OSI layer. Network and web security implementation, monitoring, intrusion, recovery and countermeasures.
Prerequisite: CNA 426 or BCIS 353 or consent of instructor.

Course Web Site: http://web.stcloudstate.edu/aoolagunju/amos1/cna432/CNA432.html

Textbook: David Mackey: Web Security for Network and System Administrators, Course Technology, Incorporated, 2003, ISBN 0-619-06495-1

Supplementary Materials: Recent ACM and IEEE articles on OSI Layers Security.

Course Objective
To provide skills on technologies, terms, and processes related to Internet security.

Student Learning Outcomes
1. Assess security education, risk and incident management.
2. Identify attacks to IT and Office, and threat taxonomy.
3. Install network devices, addressing and defense in depth.
4. Evaluate packet sniffers, threats and solutions to TCP/IP and wireless networks.
5. Manage preventive, detective and corrective security features for a Linux LAN.
6. Install preventive and detective measures for UNIX and Windows.
7. Assess legal concerns, defense probing, and exploitation of security vulnerabilities.

Attendance: Attendance at every class is strongly recommended. In case of an absence, it is the responsibility of the student to make up work and get notes from other students. If the student must miss a scheduled test, it is imperative that s/he call or e-mail me as soon as possible before the test. Acceptable excuses would include medical emergencies.

Grading: Grades will be distributed on a 5% scale (100% to 95% for an A+, 90% to 94% for an A, 89% to 85% for a B+, 80% to 84% for a B, etc.) and will be compiled from:
  30% of the grade is based on tests.
  30% of the grade is based on completing the end of chapter case project assignments.
  20% of the grade is based on completing assignments.
  20% of the grade is based on a final term project.

Assistance: Study groups among the students are useful in reinforcing concepts. The best way to keep from falling behind the teacher is to stay one step ahead! Study the chapter(s) that will be covered before each class.

Schedule: This is a tentative schedule for this class. If it is necessary to change the schedule, students will be given as much advance notice as possible. Students are expected to have already read the assigned chapters before the class and to come to class prepared.

Course Outline

Week 1
  Topic: Introduction to Information Security
  Chapter Reading: 1
  Specific Subtopics: CIA and PPP Triads; Risk Assessment; Building Security Policies; Security Resources
  Hands-on Project: Annualized Loss Expectancy, ARO and TCO Computation

Week 2
  Topic: Security Processes
  Chapter Reading: 2
  Specific Subtopics: Security Education, Advisory and Issue Management; Risk and Incident Management
  Hands-on Project: Building Red Hat Linux Security Resource Center

Week 3
  Topic: Threats to IT Assets
  Chapter Reading: 3
  Specific Subtopics: Attacks to IT and Office; Threat Taxonomy
  Hands-on Project: Using Business Intelligence Against a Company

Week 4
  Topic: Encryption
  Chapter Reading: 4
  Specific Subtopics: Symmetric and Asymmetric Encryption; Hashing Algorithms; Cryptanalysis Attack
  Hands-on Project: Research and Use asymmetric algorithms

Week 5
  Topic: Fundamentals of Network Security
  Chapter Reading: 5
  Specific Subtopics: Network Devices, Addressing and Defense in Depth
  Hands-on Project: Install and Configure iptables to Simulate a Firewall

Week 6
  Topic: Network Security Threats
  Chapter Reading: 6
  Specific Subtopics: Packet Sniffers; Threats and solutions to TCP/IP and Wireless networks
  Hands-on Project: Assess Wireless Network Vulnerabilities at SCSU, and for SNMP

Week 7
  Topic: Intrusion Detection
  Chapter Reading: 7
  Specific Subtopics: IDS, NIDS, HIDS and Honeypots Architecture and Methodologies
  Hands-on Project: Design a Protected Network

Week 8
  Topic: Mid-Term

Week 9
  Topic: Fundamentals of System Security
  Chapter Reading: 8
  Specific Subtopics: Preventive, Detective and Corrective Security Measures
  Hands-on Project: Administer Security for Servers Running Linux

Week 10
  Topic: UNIX System Security
  Chapter Reading: 9
  Specific Subtopics: Preventive and Detective Features of UNIX
  Hands-on Project: Install OpenSSH client and Authentication

Week 11
  Topic: Windows System Security
  Chapter Reading: 10
  Specific Subtopics: Preventive and Detective Features of Windows
  Hands-on Project: Investigate Firewall on Windows Server 2003

Week 12
  Topic: Standards and Compliance
  Chapter Reading: 11
  Specific Subtopics: Policy Verification; Security Standards and Audits; Audit Process and Action
  Hands-on Project: Review TCSEC and ISO Requirements and Audit Reports for Windows

Week 13
  Topic: Security Testing
  Chapter Reading: 12
  Specific Subtopics: Legal Concerns; Defense Probing; Exploiting Security Vulnerabilities
  Hands-on Project: Configure and Use nessus utility to uncover vulnerabilities

Week 14
  Hands-on Project: Final Project Presentations

NOTE: The above schedules and procedures for this course are subject to change in the event of extenuating circumstances.

Appendix

The following items as found in NSTISSI 4011, dated 20 June 1994, are specifically covered in this class. See http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf for details.

Although not explicitly listed as topics or specific subtopics, the following terms and concepts are covered in depth via design, implementation and evaluation of alternative security protocols and systems.

• Physical security of cables; environmental controls (humidity and air conditioning) via HVAC and filtered power
• Software security assurance
• Network security controls via access privileges, dial-up versus dedicated lines
• Controls of private and public network via network defense
• Security of systems by standardized reviews and levels of security trust assurance
• Auditing and monitoring of systems for vulnerabilities and accuracy
• Use of evaluation standards to assess the quality of secure systems
• Development and evaluation of security education, plans, policies, and procedures

SECURITY BASICS (Awareness Level)
  Operations Security (OPSEC)
    INFOSEC and OPSEC interdependency

SYSTEM OPERATING ENVIRONMENT (Awareness Level)
  Agency Specific Security Policies
    Guidance: points of contact, roles and responsibilities

NSTISS PLANNING AND MANAGEMENT (Performance Level)
  Instructional Content
    Discuss practical performance measures employed in designing security measures and programs.
    Introduce generic security planning guidelines/documents
  Security Planning
    NSTISS program budget

NSTISS POLICIES AND PROCEDURES (Performance Level)
  Physical Security Measures
    Cabling, environmental controls (humidity and air conditioning), filtered power
  Personnel Security Practices and Procedures
    Contractors, security training and awareness (initial and refresher)
  Software Security
    Software security mechanisms to protect information (application security features, concept of least privilege, malicious logic protection, segregation of duties)
  Administrative Security Procedural Controls
    Construction, changing, issuing and deleting passwords, destruction of media, documentation, logs and journals, emergency destruction, external marking of media, media downgrade and declassification, preparation of security plans, reporting of computer misuse or abuse, repudiation, sanitization of media, transportation of media
  Auditing and Monitoring
    Monitoring systems for accuracy and abnormalities, review of software design standards, verification, validation, testing, and evaluation processes

The following items as found in NSTISSI 4011, dated 20 June 1994, are specifically covered in this class. See http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf for details.

SECURITY BASICS (Awareness Level)
  Topical Content
    Operations Security (OPSEC)
      INFOSEC and OPSEC interdependency
      OPSEC process
      unclassified indicators

SYSTEM OPERATING ENVIRONMENT (Awareness Level)
  Topical Content
    Agency Specific Security Policies
      guidance
      points of contact
      roles and responsibilities

NSTISS POLICIES AND PROCEDURES (Performance Level)
  Topical Content
    Software Security
      software security mechanisms to protect information (application security features)
      software security mechanisms to protect information (concept of least privilege)
      software security mechanisms to protect information (segregation of duties)
    Administrative Security Procedural Controls
      construction, changing, issuing and deleting passwords
      destruction of media
      documentation, logs and journals
      emergency destruction
      external marking of media
      media downgrade and declassification
      preparation of security plans
      reporting of computer misuse or abuse
      repudiation
      sanitization of media
      transportation of media
    Auditing and Monitoring
      monitoring systems for accuracy and abnormalities
      review of software design standards
      verification, validation, testing, and evaluation processes